Saturday, May 07, 2011

Still coping with the aftereffects of a pair of attacks that has compromised as many as 100 million accounts and which caused two online gaming services to be taken offline, Japanese electronics giant Sony is considering offering a reward for information leading to the arrest and prosecution of the attackers, people familiar with the matter say.

The company hasn't reached a final decision concerning whether it will offer a reward, and may decide not to do it at all, but the option is on the table, sources told me today.

… Word of a possible reward offering comes as the Financial Times reported that two members of the hacking group Anonymous have informed the FBI that members of the loosely associated group of activist hackers carried out the attacks that compromised the system and prompted Sony to shut down two of its online gaming services.

… Meanwhile, Sony denied assertions by computer security expert Gene Spafford during a Congressional hearing Thursday that it had been running outdated versions of Web server software and had not been using a firewall on its servers. In a statement from Patrick Seybold, Sony's senior director, Corporate Communications and Social Media, that's expected to be published on Sony's PlayStation blog, the company said it was using updated software and had "multiple security measures in place."

… Separately, Sony President Kaz Hirai sent a letter to Connecticut senator Richard Blumenthal containing a detailed timeline of the attack and Sony's response to it. The letter contains previously undisclosed details about the attack and the hardware Sony uses to run its gaming services.

On Tuesday, April 19, 2011, the Sony Network Entertainment America (SNEA) network team discovered that several PlayStation Network servers unexpectedly rebooted themselves and that unplanned and unusual activity was taking place on the network.

… On the afternoon of April 20th, SNEA retained a recognized security and forensic consulting firm to mirror the servers to enable a forensic analysis.

… On Thursday, April 21, SNEA retained a second recognized security and forensic consulting firm to assist in the investigation.

… Among other things, the intruders deleted log files in order to hide the extent of their work and activity within the network

… on Sunday, April 24 (Easter Sunday) decided that it needed to retain a third forensic team with highly specialized skills to assist with the investigation. Specifically, this firm was retained to provide even more manpower for forensic analysis in all aspects of the suspected security breach and, in particular, to use their specialized skills to determine the scope of the data theft.

… Throughout the process, SNEA was very concerned that announcing incomplete, tentative or potentially misleading information to consumers could cause confusion and lead them to take unnecessary actions. SNEA felt that it was important - and that it was in keeping with the mandate of state law - that any information SNEA provided to customers be corroborated by meaningful evidence.

Indeed, many state statutes (e.g., AZ, CT, CO, DE, FL, ID, ME, MD, MS, NE, VT, WI, WY) essentially require disclosure without unreasonable delay once an investigation has been done to identify the nature and scope of what happened and who was affected.

… In your letter you suggest that sending 500,000 emails an hour is not expeditious; however this limitation exists because these emails are not "batch" e-mails. The e-mails are individually tailored to our consumers' accounts.

… Unfortunately, our forensic teams still have not been able to rule out that credit card data was taken.

… You have questioned why SOE did not disclose this loss of data from its servers until May 2. The reason was because SOE did not discover that theft until May 1. The intruder carefully covered his or her tracks in the server systems. In fact, as noted above, the discovery was made only after SOE rechecked their machines -- which earlier showed no evidence of theft – using information developed by our forensic experts working in collaboration with our technical teams.

… In addition to offering this identity theft protection, SNEA has announced a series of steps that it will take – most of which were in progress before this theft occurred – to enhance security before the service is restored. SOE has taken or will take similar steps. Those steps are:

additional automated software monitoring and configuration management to help defend against new attacks;

By every available measure, the level of domestic intelligence surveillance activity in 2010 increased from the year before, according to a new Justice Department report to Congress on the Foreign Intelligence Surveillance Act.

“During calendar year 2010, the Government made 1,579 applications to the Foreign Intelligence Surveillance Court (hereinafter ‘FISC’) for authority to conduct electronic surveillance and/or physical searches for foreign intelligence purposes,” according to the new report (pdf). This compares to a reported 1,376 applications in 2009. (In 2008, however, the reported figure — 2,082 — was quite a bit higher.)

Of these 1,579 applications, five were withdrawn by the Government. The FISC did not deny any applications in whole, or in part.

… In 2010, the FBI made 24,287 NSL requests (excluding requests for subscriber information only) for information concerning United States persons. These sought information pertaining to 14,212 different United States persons.

This could be a handy way to call up all the pages I need to show my students at the start of each class!

Scrible is a new service offering a nice set of tools for highlighting, annotating, and bookmarking webpages. Scrible offers browser bookmarklets for Firefox, Chrome, Safari, and Internet Explorer. With the Scrible bookmarklet installed, anytime you're on a page just click the bookmarklet to launch a menu of bookmarking tools. The Scrible tool set includes highlighters, sticky notes, and font change tools. When you annotate and bookmark a page in Scrible it is saved as it appeared to you when you were done altering it. And as you would expect from a web-based bookmarking tool, you can share your bookmarked pages with others.

A police department laptop computer containing “a fair amount of records” was stolen from a marked cruiser and an on-board camera was damaged while the cruiser was left at an auto dealership for service, said Chief Jon Tretter.

The theft from and damage to the “brand new” cruiser occurred last week when it was parked overnight at Portsmouth Chevrolet where it was left for work on decorative trim, said Tretter. The police chief said he’s been advised that it’s unlikely anyone could access personal information stored on the stolen laptop because the battery is so old it barely functions without a companion power cord. [That's a new one. Bob]

The answer given by Gene Spafford, a security expert and professor of computer science at Purdue University, raises troubling thoughts.

In written testimony to the House Subcommittee on Commerce, Manufacturing and Trade, Spafford highlighted recent data breaches at Sony and at Epsilon.

He wrote: "Both companies are large enough that they could have afforded to spend an appropriate amount on security and privacy protections of their data; I have no information about what protections they had in place, although some news reports indicate that Sony was running software that was badly out of date, and had been warned about that risk."

He reportedly said Internet forums openly discussed that the Apache Web server software used by Sony was "unpatched and had no firewall installed." He also reportedly said that these concerns were debated in an open forum that was monitored by Sony employees. [and hackers everywhere. Bob]

… However, one more sentence in the response may offer a clue about Sony's previous priorities. The company is planning to create a brand-new position: chief information security officer.

(Related) This seems to be an escalation of coverage for Identity Theft victims. On the other hand, here's another company that has all your Personal Information (or they don't know what to look for...)

Sony has made a deal with identity-protection firm Debix to offer a service called AllClear ID Plus for free to U.S. customers registered with PlayStation Network or Qriocity prior to the attack two weeks ago, Sony spokesman Patrick Seybold wrote in a blog post today.

… Stringer emphasized that the identity-theft monitoring program the company is offering customers has a "$1 million identity-theft insurance policy" included. Customers will be able to enroll in the program through an activation e-mail they'll receive "over the next few days." Registration will be open till June 18.

[From the blog:

The details of the program include, but are not limited to:

Cyber monitoring and surveillance of the Internet to detect exposure of an AllClear ID Plus customer’s personal information, including monitoring of criminal web sites and data recovered by law enforcement.

As the industry continues to come to terms with the wider implications of the PSN breach, Nintendo has contacted Club Nintendo members about the introduction of a new privacy policy.

As part of it, the company asks permission to gather information from users. Users who don’t check or agree to the new policy will from May 31st be unable to spend any Stars in their personal Stars Catalogue and their membership will be cancelled.

At first I thought I must have misunderstood – would Nintendo really cancel accounts if people declined to share their information? Seems like they will, though. As another site reports, here’s what the email to users said:

Please review our new Privacy Policy by logging into your Club Nintendo account. Once you have read the information displayed upon logging in, please use the appropriate buttons to either ACCEPT or DECLINE this new Privacy Policy.

Please note that if we haven’t received your answer by 31st May, 2011, or if you choose to DECLINE our new Privacy Policy, you will from that day onwards no longer be able to use your Stars in the Stars Catalogue, as we will be forced to deactivate your Club Nintendo membership. No matter what you decide, you can still use your Stars and enjoy all the other benefits of Club Nintendo membership until 31st May, 2011.

So Nintendo has seemingly implemented an “opt-in or f**k off, bugger!” privacy policy. We’ll see how that works out for them.

With some fanfare, the Wall Street Journal launched a new whistleblower site, SafeHouse. It didn’t take long for Jake Appelbaum to find the holes in it and if you were on Twitter yesterday, you could see a steady stream of tweets from @ioerror (Appelbaum), pointing out concerns. Adrian Chen writes:

The Wall Street Journal is trying to make a play for whistleblowers with its very own Wikileaks clone, SafeHouse. But SafeHouse is the opposite of safe, thanks to basic security flaws and fine print that lets the Journal rat on leakers.

SafeHouse, which launched today to much fanfare, promises to let leakers “securely share information with the Wall Street Journal,” by uploading documents directly to its servers, just like Wikileaks! But unlike Wikileaks, SafeHouse includes a doozy of a caveat in its Terms of Use:

"Open Planet [24/7 ubiquitous surveillance system] is not a technological fantasy. Most of the architecture for implementing it already exists, and it would be a simple enough task for Facebook or Google, if the companies chose, to get the system up and running: face recognition is already plausible, storage is increasing exponentially; and the only limitation is the coverage and scope of the existing cameras, which are growing by the day. Indeed, at a legal Futures Conference at Stanford in 2007, Andrew McLaughlin, then the head of public policy at Google, said he expected Google to get requests to put linked surveillance networks live and online within the decade. How, he asked the audience of scholars and technologists, should Google respond?"

Will it be possible for citizens to decide to stop using the cards? How would any government react to a “Privacy Spring?”

China is working on creating a more comprehensive national identity card and database for mainland citizens to improve the efficiency of maintaining social order, a Communist Party-run magazine has reported.

It was time for systematic “perfection of citizen identification registration and management,” wrote Zhou Yongkang, a member of the Standing Committee of the Political Bureau of the Central Committee of the Communist Party of China (CPC) in the latest issue of Qiushi, a biweekly official journal of the CPC Central Committee.

[...]

It had become urgent to establish a system to identify a citizen solely by a single identity card, Zhou argued, including information such as social security, family planning status, housing status, education, taxation, commercial and other financial information.

Related departments should deploy the identification card system to establish a national database, “to better manage and serve the country’s citizens,” Zhou wrote.

The Department of Homeland Security has requested that Mozilla, the maker of the Firefox browser, remove an add-on that allows web surfers to access websites whose domain names were seized by the government for copyright infringement, Mozilla’s lawyer said Thursday.

But Mozilla did not remove the MafiaaFire add-on, and instead has demanded the government explain why it should. Two weeks have passed, and the government has not responded to Mozilla’s questions, including whether the government considers the add-on unlawful and whether Mozilla is “legally obligated” to remove it. The DHS has also not provided the organization with a court order requiring its removal, the lawyer said.

… The add-on in question redirects traffic from seized domains to other domains outside the United States’ reach. Since last year, the U.S. government has seized at least 120 domains in an antipiracy assault known as “Operation in Our Sites.” The domains are taken under the same federal statute used to seize drug houses.

For the U.S. government, the raid on Osama bin Laden's compound in Pakistan represents a unique opportunity to test advanced computer forensics techniques called "media exploitation" that it's developed over the last few years.

The military's acronym for the process is DOMEX, which one Army team in Iraq cheekily sums up with this motto: "You check their pulse, we'll check their pockets."

The electronic gear hauled away by an assault team of Navy SEALs reportedly included five computers, 10 hard drives, and scores of removable media including USB sticks and DVDs. Some reports say the forensic analysis is taking place at the CIA's headquarters in Langley, Va., while others have placed it at a "secret location in Afghanistan." (See list of related CNET stories.)

While the U.S. government isn't exactly volunteering what's happening now, the Army has confirmed in the past that it provides "tactical DOMEX teams" to troops in Afghanistan. And a Defense Department directive (PDF) from January 2011 says the National Media Exploitation Center, or NMEC, will be the "central DoD clearinghouse for processing DoD-collected documents and media," a category that would include the bin Laden files.

… The NMEC support job, which requires a Top Secret security clearance, calls for "complete training in EnCase Forensic Software up through the EnCase Advanced training course or equivalent." A bachelor's degree in computer engineering is preferred. So is proficiency in "creating databases in MS Access and SQL."

Via LLRX.com - The Age of Innocence: Actual, Legal and Presumed: Ken Strutin reasons that any accounting of the justice system would put the presumption of innocence at the top of the ledger. The premise underlying this evidentiary rule is that no one should be found guilty of a crime unless the state has convinced a jury with proof beyond a reasonable doubt. The materials Ken has researched and documented for this guide focus on the drift from unitary innocence, which encompasses all possible claims to a wrongful conviction, to factual innocence rooted in exoneration jurisprudence. According to some scholars, factual exonerations may have confounded the wisdom behind the Blackstone Ratio and its overarching message, i.e., criminal law and procedure ought to be weighted in favor of innocence to avoid wrongful conviction, even if there is a chance that the guilty will benefit as well. In other words, a system of justice that is fair to all and seeks to protect the innocent from wrongful prosecutions must apply safeguards that will be over inclusive. The calculations of truth and fairness are rooted in a system of justice based on due process (or a presumption of due process). The scholarship collected here attempts to address questions of whether the concept of innocence is selective or categorical.

What is the purpose? If it's just raising money, then “per mile” is sufficient. If it is to “encourage us to 'go green' then an MPG factor and a 'rush hour' surcharge will be added. Of course, states (counties, cities, school districts, etc.) will want to pile on. Sounds like a real boondoggle...

"The Hill reports that the Obama administration has floated a transportation authorization bill that would require the study and implementation of a plan to tax automobile drivers based on how many miles they drive. The plan is a part of the administration's 'Transportation Opportunities Act,' and calls for spending $200 million to implement a new Surface Transportation Revenue Alternatives Office tasked with creating a 'study framework that defines the functionality of a mileage-based user fee system and other systems.' The office would be required to consider four factors — the capability of states to enforce payment, the reliability of technology, administrative costs, and 'user acceptance' — in field trials slated to begin within four years at unspecified sites. Forbes suggests the so-called vehicle miles traveled (VMT) tax should be called the Rube Goldberg Gas Tax, because while its objective is the same as the gas tax, the way it collects revenue is extremely complex, costly and cumbersome."

The disclaimers are thick on the ground, though; note, this is an "early draft," not pending legislation.

"Researchers from the Human Media Lab at Canada's Queen's University have created a fully-functioning floppy E-Ink smartphone, which they also refer to as a paper computer. Like its thicker, rigid-bodied counterparts, the Paperphone can do things like making and receiving calls, storing e-books, and playing music. Unlike them, however, it conforms to the shape of its user's pocket or purse, and can even be operated through bending actions."

[From the article:

When not actually being operated, the Paperphone consumes no electricity. Vertegaal's team have also created a similar device, the Snaplet, which can be worn like a wristband. It operates as a watch when in a convex state, becomes a PDA when flat, and can be used as a phone when turned concave.

"[Game developer David] Braben has developed a tiny USB stick PC that has an HDMI port on one end and a USB port on the other. You plug it into an HDMI socket and then connect a keyboard via the USB port, giving you a fully functioning machine running a version of Linux. The cost? $25. The hardware being offered is no slouch either. It uses a 700MHz ARM11 processor coupled with 128MB of RAM and runs OpenGL ES 2.0, allowing for decent graphics performance with 1080p output confirmed. … We can expect it to run a range of Linux distributions, but it looks like Ubuntu may be the distro it ships with. That means it will handle web browsing, run office applications, and give the user a fully functional computer to play with as soon as it's plugged in. All that and it can be carried in your pocket or on a key chain."

Perspective. Apparently, having immediate access to a global market is good for business...

18 months ago, Groupon didn’t exist. Today, it has over 70 million users in 500-odd markets, is making more than a billion dollars a year, has dozens if not hundreds of copycat rivals, and is said to be worth as much as $25 billion.

… But first it’s worth looking at the innovation in the name of the company: the idea that coupons only become activated once a certain minimum number of people have signed up for them. This is essentially a guarantee for the merchant that the needle will be moved, that their effort won’t be wasted. With traditional advertising or even with old-fashioned coupons, a merchant never has any guarantee that they will be noticed or make any difference.

But with a Groupon, you know that hundreds of people will be so enticed by your offer that they’re willing to pay real money to access it. That kind of guaranteed engagement is hugely valuable, and more or less unprecedented in the world of marketing and advertising.

Sony blames Anonymous for PlayStation hack but confirms it has not identified those responsible

In a letter to the US Congress, Kazuo Hirai, Sony Computer Entertainment chairman of the board of directors, claimed that Sony had been investigating the intrusion around the clock and what had become ‘more and more evident is that Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack designed to steal personal and credit card information for illegal purposes'.

He went on to say that when data being stolen was discovered, a file was also found on the server that was named ‘Anonymous' with the words ‘we are Legion'.

… Sony went on to confirm that unauthorised activity was detected on the afternoon of Tuesday 19th April, with a discovery that data had been transferred off the servers without authorisation the next day, causing the shut down of the network. [So they “discovered” a problem but were unable to stop the theft of data? Bob] The FBI was notified on 22nd April and details were given to law enforcement on Wednesday 27th April.

… Robin Adams, director of security, fraud and risk management at The Logic Group, said: “I wonder if Sony are aware of the Payment Card Industry Data Security Standard (PCI DSS) since they are very effectively stating their non-compliance? The PCI DSS control 3.1 states that cardholder data must be kept to a minimum and that a data retention and deletion policy must be implemented, which involves a process for the secure deletion of cardholder data when it is no longer required. I would suggest outdated credit card databases fall fairly under this category.

“Not only that but the PCI DSS Prioritised Approach categorises the 220 plus controls into six risk levels and control 3.1 is one of only eight controls considered severe enough to be put in at risk level 1. In these litigious days one can only assume that the Sony lawyers and Marcom staff who proofread this statement had been missing during the security awareness training.”

The massive data breaches at Sony and the US organisers of the X-Factor reality television show, indicate cyber criminals may be changing tactics, says security firm SecurEnvoy.

The hack of the Fox television network's database of competition entrants is the latest in a string of attacks on corporate servers to extract personal data, suggesting cybercriminals are now building information profiles on people, rather than developing frauds around available credentials, says Andy Kemshall, technical director of SecurEnvoy.

Attacks on Sony's PlayStation Network and Online Entertainment services and the Epsilon systems are the most high-profile reports of corporate servers being hacked, he says, but there have been many more less-reported intrusions, suggesting cybercriminals are now actively compiling data on large numbers of people for longer-term fraud.

… Andy Kemshall says it is easy to see a pattern emerging in these attacks. "Previously, frauds were card-centric and built around opportunistic database hacks, but the sheer volume of the system hacks in recent months suggests a longer-term strategy."

Security researchers are already reporting that names and unique identifiers such as social security/national insurance and address details, are being bought and sold on underground forums, along with dates-of-birth, e-mail addresses and other personal data.

"Our observations suggest this data is being compiled into one or more databases, meaning low-level frauds can be carried out on a steady basis, bursting into periods of high activity when the people's debit or credit card details become available," said Kemshall.

Via CDT - The Threat of Data Theft to American Consumers: "Although two high-profile data breaches (Sony's PlayStation and Epsilon) have grabbed headlines lately because of their recency, data breach is a major longstanding problem for consumers, businesses and government. According to Privacy Rights Clearinghouse, a staggering 600 million records have been breached due to the roughly 2,460 data breaches made public since 2005. According to a 2010 Ponemon benchmark study, the cost of data breaches to businesses – in terms of preventing, detecting, and notifying individuals of breach, as well as legal defense and lost business opportunities – have risen considerably over the past several years. Consumers whose personal information is lost or stolen in data breaches face increased risks of identity theft, spam and phishing attacks, reduced trust toward services on which they depend, and sometimes humiliating loss of privacy over sensitive medical conditions."

With so many passwords to remember, lots of us store our passwords online. That makes these systems a BIG target... Note that they are following at least a few Best Practices...

We noticed an issue yesterday and wanted to alert you to it. As a precaution, we're also forcing you to change your master password.

We take a close look at our logs and try to explain every anomaly we see. [Yes! Bob] Tuesday morning we saw a network traffic anomaly for a few minutes from one of our non-critical machines. These happen occasionally, and we typically identify them as an employee or an automated script.

In this case, we couldn't find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server). Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs.

… For those of you who are curious: we don't have very much data indicating what potentially happened and what attack vector could have been used and are continuing to investigate it. We had our Asterisk phone server more open to UDP than it needed to be, which was an issue our auditing found, but we couldn't find any indications on the box itself of tampering, the database didn't show any changes escalating anyone to premium or administrators, and none of the log files give us much to go on.

We don't have a lot that indicates an issue occurred but it's prudent to assume where there's smoke there could be fire. We're rebuilding the boxes in question and have shut down and moved services from them in the meantime. The source code running the website and plugins has been verified against our source code repositories, and we have further determined from offline snapshots and cryptographic hashes in the repository that there was no tampering with the repository itself.
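The reasoning in the post above has two parts: spot an outbound burst the normal workload does not explain, then ask whether that many bytes could have carried the credential table (emails, server salt, salted hashes) and whether it was anywhere near enough to carry the encrypted vaults. The following is an added example of that reasoning as code; it is not LastPass's code or monitoring, and the traffic counters, the 100,000-user figure, the per-row size and the vault size are all constructed assumptions:

```python
"""Added example, not LastPass's code: two quick checks a responder could run
on the kind of evidence described in the post above.

  * flag_traffic_anomalies() flags per-interval outbound byte counts that sit
    far above a trailing robust baseline (median and MAD), so one spike cannot
    drag the baseline up with it.
  * assess() then asks the question LastPass asked: is the excess traffic big
    enough to carry a table of (email, server salt, salted hash) rows, and is
    it anywhere near big enough to carry users' encrypted vaults?

Every number here (traffic, user count, row and vault sizes) is a constructed
assumption for illustration; substitute real counters and real schema sizes."""

from statistics import median

# Assumed per-row size of the credential table: email, server salt,
# salted password hash, plus row overhead. Not LastPass's schema.
CRED_ROW_BYTES = 24 + 32 + 32 + 16
# Assumed average size of one user's encrypted vault blob.
VAULT_BYTES = 50_000


def build_constructed_samples(n=60, spike_at=(45, 46, 47), spike_bytes=6_000_000):
    """Constructed per-minute outbound byte counts for one database host:
    a 400-420 KB/min baseline with deterministic jitter, plus a short burst."""
    return [spike_bytes if i in spike_at else 400_000 + (i * 7919) % 20_000
            for i in range(n)]


def flag_traffic_anomalies(samples, window=30, k=8.0):
    """Return [(index, bytes, score)] for samples more than k robust standard
    deviations above the median of the preceding `window` samples.
    The 1.4826 factor scales the MAD to a standard deviation for normal data."""
    flagged = []
    for i in range(window, len(samples)):
        base = samples[i - window:i]
        med = median(base)
        mad = median(abs(x - med) for x in base) or 1.0   # guard a flat window
        score = (samples[i] - med) / (1.4826 * mad)
        if score > k:
            flagged.append((i, samples[i], round(score, 1)))
    return flagged


def estimate_exfil_bytes(samples, flagged):
    """Bytes in the flagged intervals above the median of the unflagged ones,
    i.e. the volume that the normal workload does not account for."""
    hot = {i for i, _, _ in flagged}
    baseline = median(x for i, x in enumerate(samples) if i not in hot)
    return int(sum(samples[i] - baseline for i in hot))


def could_hold(bytes_out, n_rows, row_bytes):
    """Could bytes_out carry n_rows rows of row_bytes each, uncompressed?"""
    return bytes_out >= n_rows * row_bytes


def assess(samples, n_users, window=30, k=8.0):
    """Tie the three steps together: detect, size, and compare against the
    two data sets an attacker might have been after."""
    flagged = flag_traffic_anomalies(samples, window, k)
    exfil = estimate_exfil_bytes(samples, flagged)
    return {
        "flagged": flagged,
        "exfil_bytes": exfil,
        "credential_table_fits": could_hold(exfil, n_users, CRED_ROW_BYTES),
        "vaults_fit": could_hold(exfil, n_users, VAULT_BYTES),
    }


if __name__ == "__main__":
    # 100,000 users is an assumed figure, not LastPass's user count.
    report = assess(build_constructed_samples(), n_users=100_000)
    for idx, nbytes, score in report["flagged"]:
        print(f"minute {idx}: {nbytes:,} bytes out (score {score})")
    print(f"unexplained volume: {report['exfil_bytes']:,} bytes")
    print(f"credential table could fit: {report['credential_table_fits']}")
    print(f"encrypted vaults could fit:  {report['vaults_fit']}")
```

Two caveats when running this against real counters: the size check only bounds what could have left, not what did, and an attacker who compresses the dump before sending it shrinks the volume, so the row and vault sizes should be compared against compressed estimates as well as raw ones.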

A warning of things to come? An opportunity for my Computer Security students? Clearly a victory of Marketing over Customer Service – “We'll sell it to you, but you're too ignorant to use it?”

"With a series of major data breaches over the past few months, you'd think more and more companies would be investing in data protection software, which can help keep data secure even on systems that have been compromised. Unfortunately, even organizations that have paid good money for this software often don't use it, because, as one of the vendors admits, it's often too complicated to use."

An order last week from the U.S. District Court for the Central District of California has revealed the FBI lied to the court about the existence of records requested under the Freedom of Information Act (FOIA), taking the position that FOIA allows it to withhold information from the court whenever it thinks this is in the interest of national security. Using the strongest possible language, the court disagreed: “The Government cannot, under any circumstance, affirmatively mislead the Court.” Islamic Shura Council of S. Cal. v. FBI (“Shura Council I”), No. 07-1088, 3 (C.D. Cal. April 27, 2011) (emphasis added).

… In the first quarter of 2011, comScore estimates that 1.1 trillion ads were served to U.S. Internet users, and 346 billion of those (or 31 percent) were on Facebook.

… Facebook has the volume, but it is also beginning to experiment with new forms of ads which are themselves more social. These ads look more like News items shared by friends than typical display ads. Until those start kicking in, however, Facebook can just keep putting display ads on its ever-growing share of pages people look at on the Internet.

Want to know what’s really going on? Read the documents behind the news. Journalists strive to summarize complex documents, but sometimes it’s nice to read source material in its entirety. Thanks to DocumentCloud, a web service partnered with various media organizations, now you can.

… DocumentCloud aims to give media organizations a place to submit the source documents behind their news for the public to view. It’s a supplement to what you get from the newspaper or television, not an alternative to it.

… DocumentCloud is unique in that it allows media organizations to partner with it. Current partners are listed here, and include a lot of big names in North American journalism.

Earlier today, PSU reported that Sony Online Entertainment had shut down its game servers after confirming that 24 million accounts had been compromised. The main fear from users of the service was that stolen data from credit cards linked to the accounts had landed in the hands of hackers. A later report stated that 12,700 customers’ credit card numbers may have been stolen, alongside personal information from approximately 24.6 million SOE accounts. SOE has now revealed, via GamesIndustry.biz, that only “900” of the credit cards on record were still active when stolen. [Obfuscation check: Does this mean all the other cards had been canceled (how would they know that?), OR that they were not waiting for payment on the other cards? Bob]

For my Computer Security students. This is another small breach (I normally wouldn't mention it) but it does illustrate how the Public Relations folks can “invent” security and mitigation where none exists...

Speare Memorial Hospital in Plymouth (New Hampshire) is warning patients that a laptop computer with patient information was stolen last month.

Officials said the computer was in an employee’s locked car in Boston on April 3. It contained patient names, addresses, hospital account numbers, medical record numbers, and other patient and health information.

With one exception, no Social Security numbers, insurance information or credit card information was on the computer.

Okay, now that would have been bad enough – after all, what were such sensitive data doing on a laptop without encryption and then just left in an employee’s car? But the notification gets much worse from my perspective:

Hospital spokeswoman Michele Hutchins said the hospital believes the information might not be on the laptop any longer.

“Most likely this computer has been scrubbed, because the person who took it was most interested in the hardware, but you can’t assume that,” she said.

That is just pure speculative bulls**t. [Don't hold back, tell us how you feel... Bob] It is self-serving and minimizes the risk – and may mislead patients into not taking immediate and necessary steps to protect themselves.

For my money, breached entities should be barred from making such statements.

The hospital said it immediately notified the nearly 6,000 patients affected and is working to beef up security. The employee who had the laptop has resigned. [...and his manager and the security manager? Bob]

“That management level administrator has since resigned because the confidential information was only designed to stay on the hospital’s secure server and not be saved on the hard drive of a portable computer,” said Michele Hutchins, hospital spokeswoman.

What do they mean “designed to stay on the secure server?” What prevented it from being downloaded to a portable device other than instructions to employees of “don’t do this?”

Seriously. When I read breach disclosures like this one, I really wish the government would just start handing out stiff fines.

Speare Memorial Hospital has been alerted that a laptop computer containing protected health information was stolen from an employee’s secured, parked automobile on April 3, 2011. The computer was password protected, however that does not afford complete protection from unauthorized access. The protected health information on the computer included patient names, and in some instances: patient addresses, hospital account numbers, medical record numbers, physician names, dates of service, procedure codes, and diagnosis codes.

Speare Memorial Hospital is fully committed to protecting all of the information that our patients have entrusted to us. Upon learning of this incident the day after, we immediately undertook a process to identify the extent of information on the computer [because up till then, we had no clue there was data on the laptop. Bob] and have sent a letter of notification to the patients affected by this potential breach. Additionally, we have engaged experts to assist us in identifying additional safeguards that would strengthen our current security measures, and a police report has been filed.

We sincerely regret this incident. Protecting our patients’ personal and health information privacy is very important to us and we will continue to do everything we can to correct this situation and fortify our security protections. We will be monitoring for any indication of misuse of patient information, and recommend that patients review their future hospital account statements closely. [Isn't there more serious risk of someone using the ID information leaked to obtain free medical services and then that medical data being entered on a patient's medical history? That could screw up future medical decisions and insurance records... Bob]

So why does the notice say “potential breach?” THE DATA WERE STOLEN. And describing the employee’s car as “secured?” Seriously – a locked car is “secured?” Stop minimizing this, Speare.

Two companies that maintain large amounts of sensitive information about the employees of their business customers, including Social Security numbers, have agreed to settle Federal Trade Commission charges that they failed to employ reasonable and appropriate security measures to protect the data, in violation of federal law. Among other things, the settlement orders require the companies to implement comprehensive information security programs and to obtain independent audits of the programs every other year.

The settlements with Ceridian Corporation and Lookout Services, Inc. are part of the FTC’s ongoing efforts to ensure that companies secure the sensitive consumer information they maintain. In complaints filed against the companies, the FTC charged that both Ceridian and Lookout claimed they would take reasonable measures to secure the consumer data they maintained, including Social Security numbers, but failed to do so. These flaws were exposed when security breaches at both companies put the personal information of thousands of consumers at risk. The FTC challenged the companies’ security practices as unfair and deceptive.

According to the FTC’s complaint against Ceridian, a provider to businesses of payroll and other human resource services, the company claimed, among other things, that it maintained “Worry-free Safety and Reliability . . . Our comprehensive security program is designed in accordance with ISO 27000 series standards, industry best practices and federal, state and local regulatory requirements.” However, the complaint alleges that Ceridian’s security was inadequate. Among other things, the company did not adequately protect its network from reasonably foreseeable attacks and stored personal information in clear, readable text indefinitely on its network without a business need. These security lapses enabled an intruder to breach one of Ceridian’s web-based payroll processing applications in December 2009, and compromise the personal information – including Social Security numbers and direct deposit information – of approximately 28,000 employees of Ceridian’s small business customers.

The other company, Lookout Services, Inc., markets a product that allows employers to comply with federal immigration laws. It stores information such as names, addresses, dates of birth and Social Security Numbers. According to the FTC’s complaint against Lookout, despite the company’s claims that its system kept data reasonably secure from unauthorized access, it did not in fact provide adequate security. For example, unauthorized access to sensitive employee information allegedly could be gained without the need to enter a username or password, simply by typing a relatively simple URL into a web browser. In addition, the complaint charged that Lookout failed to require strong user passwords, failed to require periodic changes of such passwords, and failed to provide adequate employee training. As a result of these and other failures, in 2009, an employee of one of Lookout’s customers was able to access sensitive information maintained in the company’s database, including the Social Security numbers of about 37,000 consumers.

The settlement orders bar misrepresentations, including misleading claims about the privacy, confidentiality, or integrity of any personal information collected from or about consumers. They require the companies to implement a comprehensive information security program and to obtain independent, third party security audits every other year for 20 years.

The FTC will publish a description of the consent agreement packages in the Federal Register shortly. The agreements will be subject to public comment for 30 days, beginning today and continuing through June 2, after which the Commission will decide whether to make them final.

Facing mounting criticism of her handling of her office’s massive data breach, Texas Comptroller Susan Combs has apologized for the security lapse that exposed personal information on 3.5 million citizens and has agreed to pay for identity restoration services out of her campaign fund.

Okay, her campaign fund isn’t exactly the same as her personal checking account, but still, I find this unusual and don’t remember ever seeing anyone in government ever dipping into their own campaign or resources to help defray the costs of a data breach. Can you remember anything like this before?

“Of course. You don't think we trust our customers do you?” (Just like Lower Merion High School spied on their students...)

Built-in webcams are becoming more and more common in computers these days, and in turn, they are becoming more and more of a liability. A Wyoming couple is now accusing national rent-to-own chain Aaron’s Inc. of spying on them at home using their rented computer’s webcam without their knowledge. Aaron’s also allegedly used a keylogger and took regular screenshots of the couple’s activities on the machine, leading the couple to file a class-action lawsuit in the US District Court for the Western District of Pennsylvania.

(Related) Extending the “pat down” I can see TSA ordering thousands of these and requiring anyone wanting to fly to swallow one 24 hours before the flight in case they eat anything suspicious! “Hey, we've got traces of felafel over here! Call out SWAT!”

"Medigus has developed what it claims is the world's smallest video camera at just 0.039-inches (0.99 mm) in diameter. The Israeli company's second-gen model (a 0.047-inch diameter camera was unveiled in 2009) has a dedicated 0.66x0.66 mm CMOS sensor that captures images at 45K resolution and no, it's not destined for use in tiny mobile phones or covert surveillance devices, instead the camera is designed for medical endoscopic procedures in hard to reach regions of the human anatomy."

On April 21, 2011, the Austrian Data Protection Commission (“Austrian DPA”) published its decision allowing Google to register its Google Street View application on the Austrian DPA’s data processing register. As part of the registration procedure, Google agreed to blur images of faces and license plates prior to publishing them on the Internet, and to provide information to the public about the right to object to publication of certain images.

[...]

On March 30, 2011, the Federal Administrative Court of Switzerland (the “Court”) issued its ruling on a previous opinion by the Swiss Data Protection Authority (“Swiss DPA”) concerning Google Street View. The Court found in favor of the Swiss DPA, which initially brought the claim in November 2009.

People can find your location from the smart phone pictures you upload on the web. It's called geotagging. Every time you snap a photo and post it online, your phone could be sending out metadata.

Metadata is detailed information contained within the photo file, including the date, time and exact GPS location when you took the picture. If you post them online, a complete stranger can click on your pictures and find out your location when you took them, sometimes within a matter of feet.

People who upload numerous online photos may be unknowingly posting a pattern of their behavior, available to anyone with a computer.

Here's how you can disable geotagging on different types of smart phones.
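The metadata described above can be inspected and removed before a photo is posted. As an added example (not from the article), this Python script builds a constructed JPEG carrying an Exif GPS IFD, reads the coordinates back the way any viewer or stranger's script would, and then strips the segment. The tag numbers and layout follow the Exif specification; the sample coordinates are constructed, not from a real photo.

```python
import struct

# Exif/TIFF tags and field types used by the GPS IFD (from the Exif spec)
GPS_IFD_POINTER = 0x8825
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 1, 2, 3, 4
ASCII, LONG, RATIONAL = 2, 4, 5
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}


def _segments(jpeg):
    """Yield (marker, payload, (start, stop)) for each segment before the scan data."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        length = struct.unpack_from(">H", jpeg, pos + 2)[0]
        yield jpeg[pos + 1], jpeg[pos + 4:pos + 2 + length], (pos, pos + 2 + length)
        pos += 2 + length


def _read_ifd(tiff, offset, bo):
    """Return {tag: raw value bytes} for the IFD at offset; bo is '<' or '>'."""
    entries = {}
    for i in range(struct.unpack_from(bo + "H", tiff, offset)[0]):
        tag, typ, count, val = struct.unpack_from(bo + "HHI4s", tiff, offset + 2 + 12 * i)
        size = TYPE_SIZES.get(typ, 1) * count
        if size > 4:  # values over 4 bytes live elsewhere; the field is an offset
            start = struct.unpack(bo + "I", val)[0]
            val = tiff[start:start + size]
        entries[tag] = val[:size]
    return entries


def _dms_to_decimal(raw, ref, bo):
    """Three RATIONALs (deg, min, sec) plus hemisphere letter -> signed float."""
    r = struct.unpack(bo + "6I", raw)
    value = r[0] / r[1] + r[2] / r[3] / 60 + r[4] / r[5] / 3600
    return -value if ref in (b"S", b"W") else value


def extract_gps(jpeg):
    """Return (lat, lon) from the Exif GPS IFD, or None when the photo has no geotag."""
    for marker, payload, _ in _segments(jpeg):
        if marker != 0xE1 or not payload.startswith(b"Exif\0\0"):
            continue
        tiff = payload[6:]
        bo = "<" if tiff[:2] == b"II" else ">"   # byte order from the TIFF header
        ifd0 = _read_ifd(tiff, struct.unpack_from(bo + "I", tiff, 4)[0], bo)
        if GPS_IFD_POINTER not in ifd0:
            return None
        gps = _read_ifd(tiff, struct.unpack(bo + "I", ifd0[GPS_IFD_POINTER])[0], bo)
        if any(t not in gps for t in (TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON)):
            return None
        return (_dms_to_decimal(gps[TAG_LAT], gps[TAG_LAT_REF][:1], bo),
                _dms_to_decimal(gps[TAG_LON], gps[TAG_LON_REF][:1], bo))
    return None


def strip_gps(jpeg):
    """Copy of the JPEG with every Exif APP1 segment removed. Dropping the whole
    block also discards camera model and timestamps, the safe default before posting."""
    out, pos = bytearray(jpeg[:2]), 2
    for marker, payload, (start, stop) in _segments(jpeg):
        if not (marker == 0xE1 and payload.startswith(b"Exif\0\0")):
            out += jpeg[start:stop]
        pos = stop
    return bytes(out + jpeg[pos:])  # scan data and trailer are untouched


def build_geotagged_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Construct a minimal JPEG whose Exif block holds only a GPS IFD.
    *_dms are three (numerator, denominator) pairs: degrees, minutes, seconds."""
    rat = lambda dms: b"".join(struct.pack(">II", n, d) for n, d in dms)
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8)                         # header, IFD0 at 8
    tiff += struct.pack(">HHHIII", 1, GPS_IFD_POINTER, LONG, 1, 26, 0)  # IFD0 -> GPS IFD at 26
    tiff += struct.pack(">H", 4)
    tiff += struct.pack(">HHI4s", TAG_LAT_REF, ASCII, 2, lat_ref + b"\0\0\0")
    tiff += struct.pack(">HHII", TAG_LAT, RATIONAL, 3, 80)              # rationals at 80
    tiff += struct.pack(">HHI4s", TAG_LON_REF, ASCII, 2, lon_ref + b"\0\0\0")
    tiff += struct.pack(">HHII", TAG_LON, RATIONAL, 3, 104)             # rationals at 104
    tiff += struct.pack(">I", 0) + rat(lat_dms) + rat(lon_dms)
    exif = b"Exif\0\0" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    # a fake SOS marker and three bytes stand in for compressed image data, then EOI
    return b"\xff\xd8" + app1 + b"\xff\xda\x00\x02\x01\x02\x03\xff\xd9"


# Constructed sample: 39 deg 35' 28.5" N, 104 deg 52' 11.5" W (not a real photo)
SAMPLE = build_geotagged_jpeg(((39, 1), (35, 1), (285, 10)), b"N",
                              ((104, 1), (52, 1), (115, 10)), b"W")

if __name__ == "__main__":
    print("geotag:", extract_gps(SAMPLE))                   # (39.59125, -104.8698611...)
    print("after strip:", extract_gps(strip_gps(SAMPLE)))   # None
```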

"The first dynamic Android firewall, dubbed WhisperMonitor, has been released by respected security researcher Moxie Marlinspike. The firewall will allow users to stop location-tracking apps and restrict connection attempts by applications. Marlinspike, whose company created the application, designed WhisperMonitor in response to the incidence of location tracking and malware on Android platforms. It monitors all outbound connection attempts by applications and the operating system, and asks users to permit or block any URLs and port numbers that are accessed."

No more than a license plate identifies a driver. But if they tow your car, who gets to pay the fine? Still, you gotta admire a judge who won't be blinded by baffling techno-babble.

"A possible landmark ruling in one of the mass-BitTorrent lawsuits in the US may spell the end of the 'pay-up-or-else-schemes' that have targeted over 100,000 Internet users in the last year. District Court Judge Harold Baker has denied a copyright holder the right to subpoena the ISPs of alleged copyright infringers, because an IP-address does not equal a person. Among other things, Judge Baker cited a recent child porn case where the US authorities raided the wrong people, because the real offenders were piggybacking on their Wi-Fi connections. Using this example, the judge claims that several of the defendants in VPR's case may have nothing to do with the alleged offense either. ... Baker concludes by saying that his Court is not supporting a 'fishing expedition' for subscribers' details if there is no evidence that it has jurisdiction over the defendants."

The key to success with this or any other data-recovery solution is to immediately stop using whatever media contains the missing data--memory card, hard drive, flash drive, smartphone, etc. That's because any additional write activity can more permanently erase or damage the files you're trying to recover.

Recuva is compatible with Windows XP and later. It's one of those freebie gems everyone should keep on hand in case of emergency. (There's also a portable version you can keep on your flash drive, phone, or whatever for anytime, anywhere use--no installation required.) Here's hoping you never need it! (But, for heaven's sake, make backups, people!)

As we previously reported, all Sony Online Entertainment services, games, forums and web sites went offline this morning as a result of the recent Playstation Network intrusion. SOE just issued an announcement, and it appears that the personal information of players may have been compromised. Here are the details straight from SOE:

“Our ongoing investigation of illegal intrusions into Sony Online Entertainment systems has discovered that hackers may have obtained personal customer information from SOE systems. We are today advising you that the personal information you provided us in connection with your SOE account may have been stolen in a cyber-attack. Stolen information includes, to the extent you provided it to us, the following: name, address (city, state, zip, country), email address, gender, birthdate, phone number, login name and hashed password.”

SOE goes on to state that there is no evidence that their main credit card database was compromised. However, SOE is warning customers outside of the United States that credit and debit card information from an outdated database from 2007 may have been obtained. Affected customers will be notified.

… more than 12,700 customers’ credit card numbers may have been stolen. SOE believes hackers stole customer information on April 16 and April 17. Engineers and security consultants reviewing SOE systems discovered that personal information from approximately 24.6 million SOE accounts may have been stolen, as well as certain information from an outdated database from 2007. The outdated database had approximately 12,700 non-U.S. credit or debit card numbers and expiration dates, but no security cards. There may also have been 10,700 direct debit records stolen from customers in Austria, Germany, Netherlands, and Spain.

Given the attacks on the PlayStation Network, SOE had already undertaken an intensive investigation into its system. Upon discovering the additional information, SOE shut down all servers related to SOE services while it reviewed and upgraded all of its online security.

The press release went on to say, “Sony is making this disclosure as quickly as possible after the discovery of the theft, and the company has posted information on its website and will send e-mails to all consumers whose data may have been stolen.”

Sony has declined to testify at a Congressional hearing on Wednesday, “The Threat of Data Theft to American Consumers,” that seeks to understand how consumers’ private data is protected by corporations.

Asher Moses reports that Sony’s delay of several days in disclosing its mammoth data breach has increased the push for stronger privacy and breach disclosure laws in Australia:

The federal government will introduce laws forcing companies to disclose privacy breaches after Sony revealed that more than 1.5 million Australian user accounts were compromised in the recent attack on its PlayStation Network.

The stolen information includes names, addresses, birthdays, email addresses and log-in passwords. Of the 1,560,791 Australian accounts that were affected, 280,000 had credit card details, but these were encrypted and there had been no reports of fraudulent activity, Sony said.

The Privacy Minister, Brendan O’Connor, said he was “very concerned” about the theft of personal information and expressed disappointment that Sony took “several days” to inform customers about the breach. This meant a mandatory “data breach notification” system now “appears necessary”, he said.

E-mail services firm Epsilon will face years of repercussions and up to $225 million in total costs as a result of its recent data breach, a massive event that indicates the often overlooked risk of cloud-based computing systems, according to a report by CyberFactors.

The recent breakdown of Amazon’s cloud computing services that disrupted services to popular sites like Foursquare and Quora is another example of a cloud failure that could prove extremely costly in the long run – and a hint of more troubles on the horizon.

The Epsilon breach may have affected 75 companies or 3% of Epsilon’s customers, not 2% as previously reported, and could eventually cost these companies as much as $412 million, for a total event cost of $637 million. Further, CyberFactors conservatively estimated the number of affected e-mails in the Epsilon breach at 60 million.

The total cost of the Epsilon breach – including forensic audits and monitoring, fines, litigation and lost business for provider and customers – could eventually run as high as $3 billion to $4 billion, according to CyberFactors, given that the compromised e-mail addresses could be used by phishers to gain access to sites that contain consumers’ personal information.

“While the attractiveness of the cloud model is hard to refute, the economics of business risk for cloud providers and their customers can no longer be ignored,” said Regina Clark, Research and Analytics Director, CyberFactors. “With the cost of technology failures rising at an accelerated rate, the Epsilon event suggests a much more profound financial risk environment is now upon us. Cloud companies would be wise to think more like banks, insurance companies and hedge funds, and not just aggregators of the world’s precious data and technology dependencies.”

Other results of the research on the Epsilon breach:

51% of the costs related to the Epsilon data breach will occur in year one, 42% in year two, and 7% in year three and thereafter.

Loss of revenue related to customer churn as part of the Epsilon breach fallout could range from $6.1 million if just 1% of customers left, to $30.7 million if there were 5% churn.

CyberFactors research shows that since 2005, data events have cost individual affected companies in the range of $5.5 million to $12.8 million, depending on the industry and assuming no liability claims.

MB Quirk of The Consumerist cites an email from Best Buy to its customers – and no, this is apparently not the Epsilon breach, but yet another breach involving Best Buy customers:

Dear Valued Best Buy Customer,

We have discovered that a former business partner’s files containing the email addresses of some Best Buy customers were accessed without authorization. For your security, we wanted to call this matter to your attention.

We believe the only information taken was your email address, and that no other information was accessed. [What “other information” did they have? Bob] We do not believe that Best Buy was specifically targeted in this breach. We are continuing to investigate the situation, and are working closely with the appropriate officials to explore all possibilities.

"VMware's new Cloud Foundry service was online for just two weeks when it suffered its first outage, caused by a power failure. Things got really interesting the next day, when a VMware employee accidentally caused a second, more serious outage while a VMware team was writing up a plan of action to recover from future power loss incidents. An inadvertent press of a key on a keyboard led to 'a full outage of the network infrastructure [that] took out all load balancers, routers, and firewalls... and resulted in a complete external loss of connectivity to Cloud Foundry.' Clearly, human error is still a major factor in cloud networks."

Privacy settings and other technological controls used to protect privacy have been justifiably criticized a bit lately. Danielle Citron recently blogged at Concurring Opinions about an important new study conducted by Columbia’s Michelle Madejski, Maritza Johnson and Steve Bellovin that found that Facebook’s default privacy settings fail to capture real-world expectations. The United Kingdom Government has recently indicated that browser settings alone cannot be used by Web users to give consent to being tracked online [Now that's interesting! Bob] under a new EU law. The Government’s rationale for this decision was that these browser settings were not flexible enough to reflect a user’s true privacy preferences. The general consensus seems to be that most privacy settings simply aren’t that good at protecting the actual information we consider private in a given context.

Facebook Inc., the social-networking site, was sued for not getting permission to display notices that minors “like” Facebook advertisers’ products.

The lawsuit seeks class action status on behalf of Facebook users in New York state under the age of 18 who had “their names or likenesses used on a Facebook feed or in an advertisement sold by Facebook Inc. without the consent of their parent or guardian.”

"Here we have the world’s most comprehensive database about people, their relationships, their names, their addresses, their locations and the communications with each other, their relatives, all sitting within the United States, all accessible to US intelligence. Facebook, Google, Yahoo – all these major US organizations have built-in interfaces for US intelligence. It’s not a matter of serving a subpoena. They have an interface that they have developed for US intelligence to use. Now, is it the case that Facebook is actually run by US intelligence? No, it’s not like that. It’s simply that US intelligence is able to bring to bear legal and political pressure on them. And it’s costly for them to hand out records one by one, so they have automated the process. Everyone should understand that when they add their friends to Facebook, they are doing free work for United States intelligence agencies in building this database for them."

Even when it “sounds like a good idea,” it pays to actually test your process to see if it works!

It appeared the current state of the technique doesn’t allow proper verification (n=1) on the basis of the stored data (let alone identification). Fingerscan verification tests by the government show failure rates of 20-25%. This issue raises serious questions on a European scale about EU Regulation 2252/2004, which is at the basis of the biometric passport in Europe. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2004:385:0001:0006:EN:PDF

After the change of legislation two fingerprints of all citizens above 12 years will be stored only during the production time of the (RFID chip of the) biometric passport. The national ID card will contain fingerprints only on a voluntary basis in the near future.

Dubbed Open Court, the project will have cameras and microphones operating today in the Quincy court’s first criminal session. At the same time, the court’s proceedings will be streamed live over the Internet at the new website created solely for Open Court — to give the public an unfiltered view of court proceedings. The site is www.opencourt.us.

… In that same courtroom there will be an operating Wi-Fi network and reserved space for citizen bloggers who want to post to the Internet.

… In a summary of the ideas underlying the experiment, Davidow and supporters write that the traditional window into courts — journalism — no longer has the resources it once had. [Not sure how that “justifies” streaming from the court... Bob]

… The camera will also be shut off when required under existing court rules and for domestic violence cases. [Are these normally “closed” to the public? Bob]

We've upgraded to Office 2010, now I can learn how to use it! What a concept...

This manual, by author Matt Smith, points out all the best new features of Microsoft’s latest office suite, and explains them all in one handy guide. In most programs, it’s not hard to find every single feature, but Office 2010 is so expansive that even veteran users will often find that they aren’t expert in even half of the capabilities the software offers.

About Me

I live in Centennial Colorado. (I'm not actually 100 years old, but I hope to be some day.) I'm an independent computer consultant, specializing in solving problems that traditional IT personnel tend to have difficulty with... That includes everything from inventorying hardware & software, to converting systems & data, to training end-users. I particularly enjoy taking on projects that IT has attempted several times before with no success. I also teach at two local Universities: everything from Introduction to Microcomputers through Business Continuity and Security Management. My background includes IT Audit, Computer Security, and a variety of unique IT projects.